- full documentation of all the data collected and passed over for one return flight by one passenger
- full list of the 43 categories of personal data demanded by USA
Introduction

European airlines are passing on the PNR (Passenger Name Record) data they hold on passengers who have travelled to, from or through the US, to the US customs authorities. This measure was agreed in an interim agreement between the European Commission and the United States Customs on 17 and 18 February 2003, and has been in force from the US side since 5 March to comply with the requirements in the US Transport Security Act (November 2001).

A letter with which the Spanish airline Iberia sent in answer to the inquiries made by Spanish citizen, Arturo Quirantes Sierra, as to whether his data had been made available to US authorities when he flew to New York on 26 March 2003, says that "The information to which the United States Customs has had access is only the one contained in the PNR (Passenger Name Register) of the passenger, and not those that are contained in the Iberia Plus frequent flyer databases or other "ticketing" systems."

Quirantes Sierra has put in a complaint with the Spanish data protection authority (Agencia de Proteccion de Datos), as he considers that "According to EU privacy rules, the transfer of personal data to third countries that do not have laws that adequately protect the privacy of individuals is forbidden, unless the individual consents to the transfer of his/her data." In the formal complaint, Quirantes Sierra lists the kind of information that is included, as well as expressing his concern about the fact that at the time when the agreement was reached it was announced that the information could be used for "law enforcement purposes", and that they would be held for "the time required for the objective for which they were collected".

He has opened a webpage (see below) showing the files concerning him that Iberia has made available to him (including data held on the PNR, "ticketing" and Amadeus systems) after his inquiry, as well as correspondence between himself and the airline and data protection authorities, and background articles.

He highlights that the interim agreement between the European Commission and US Customs stipulates that the latter body may share the data with other law enforcement agencies for "legitimate security policing", without including limitations included in EU legislation such as the need for the reasons for the use, retention and processing of personal data to be clearly stated, and for the data to be used solely for the purpose for which it was collected.